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Abstract 

In this paper, security of practically decoy state quantum key distribution under fake state attack 
is considered. If quantum key distribution is insecure under this type of attack, decoy sources can 
not also provide it with enough security. Strictly analysis shows that Eve should eavesdrop with the 
aid of photon-number-resolving instruments. In practical implementation of decoy state quantum 
key distribution where statistical fluctuation is considered, however, Eve can attack it successfully 
with threshold detectors. 
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Quantum key distribution (QKD) is an important application of quantum information, 
with which two distant parties (the information sender, Alice and the information receiver, 
Bob) can share a string of secure key with the presence of an eavesdropper, Eve l|-|3j]. It has 
been proven that quantum principles can provide it with unconditional security when it is 
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implemented with ideal devices |4H6|. In practical implementation of QKD, however, real- 
devices are taken used. They are imperfect and apt to some sophisticated eavesdropping 



17] , part of which have been realized with lab settings. Furthermore, in QKD realization, 
Alice and Bob's experimental conditions are assumed to be based on present technology but 
Eve's ability is only limited by quantum principles. Then those eavesdropping schemes still 
lacking experimental demonstration should also be considered seriously. Recently, fake state 
attack is experimentally proven to be fatal to some commercial quantum key distribution 
systems, with which the latent eavesdropper can obtain full information shared between 



Alice and Bob without been detected 
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The fake state attack is a type of intercept-resent attack, where Eve blocks all Alice's 
pulses and measures them on randomly chosen bases. Then she prepares her measurement 
results on fresh pulses and transfers them to Bob. At the same time, she controls Bob's 
detectors to work in linear mode: if Bob has the same basis choices as Eve, Eve's pulses will 
provide enough power above the threshold value to generate triggers and Bob gets Eve's 
bit values; when their basis choices are different, however, Eve's pulses are split below the 
threshold intensity and unable to introduce click on Bob's detectors. It is apparent that 
Eve's intervention introduces tolerably error rate and generates identical key string as the 
legal users'. Then Alice and Bob will acknowledge the validity of their key and ignore 
Eve's presence. With a half probability, Bob and Eve will have the same choices on their 
measurement bases. Thus Eve may eavesdrop on their communication successfully if the 
combining efficiency of the quantum channel and the measurement devices is less than ~. 

Suppose Alice has a weaken coherent source whose photon number obeys Poisson distri- 
bution 

PnM = (1) 

where fi is average intensity of the source and n is photon number of the incoming pulses. 
She randomly chooses her bases and prepares her bit values on the pulses, then she transfers 
them to Bob. To avoid being caught on line, Eve must make Bob's gains and error rates 
identical to that when there is no eavesdropper. That is, Eve must make her eavesdropping 



satisfy 

efVfEZiPniti = Er=o^M{l-(l-P rf ) 2 (l-^) n -(l-P rf ) ( 2 ) 
x [(l- V e d ) n -(l- V + r]e d ) n ]}. 

Here rjf is the probability Eve will prepare fresh pulses according to her measurement re- 
sults, e/ is the probability she prepares wrong bit value on the fresh pulses. And e d is the 
probability of misalignment between Alice and Bob. If Eve can keep alignment between her 
measurement bases and Alice's preparing bases, and that between her preparing bases and 
Bob's measurement bases at the same time, she can control the error rate on Bob's results 
at her will. Furthermore, practical QKD system is very lossy 18| . the relationships in Eq. 



(2) should be simulated by Eve easily. Thus if Eve can blind Bob's detectors, the QKD 
system will be totally insecure. 

In practical implementation of QKD, decoy sources are usually added in 19H2JJ. They 
have the same characters with that of signal source apart from their average intensities, that 
is 

Vn(v) = —^e v . (3) 

Alice randomly encodes her bit value on signal source or decoy sources. Eve can not tell 
the decoy sources from the signal source, then she must treat all sources in the same way. 
Furthermore, she should mock the loss and noise in the quantum channel. Or else, her 
intervention will inevitably introduce different disturbances on Bob's results from different 
sources. It is easy to verify that the relationship in Eq. (2) can not be met for the signal 
source and the decoy sources at the same time. In order to eavesdrop on the decoy state 
QKD, Eve should have the ability of differentiating photon number, with which she can 
treat pulses with the same photons similarly. 

In photon-number-splitting (PNS) attack, Eve is assumed to have ability of differentiating 
photon number in pulses without affect their polarizations Then quantum nondemoli- 

tion (QND) measurement on photon number is required, and this is still missed with present 
technology. In the fake state attack, however, Eve can measure polarizations on the pulses 
directly, which means she can get photon number and polarization of the pulses at the same 
time with photon- number-resolving detectors 22|, |23|. If she has the ability of differentiate 
photon number, she can treat pulses with the same photons in a similar way. In order to 
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simulate the lossy and noise for all sources, Eve's eavesdropping should satisfy 
W = l- (l-p d ) 2 (l-v) n , 

44 = 1 - (1 - p d )\l - v) n - (1 - Pd)[(l - ve d ) n -(1-V + Ve d ) n }. 

Here r)£ and e{ have similar definition as that in Eq. (2), but they corresponds to pulses 
with definite photon number n. Eve detects nothing from Alice when n = 0, however, 
she should prepare random-bit-value pulses with probability Ap d — 2p 2 d in order to simulate 
dark count rate on Bob's detectors. Noticing that Eq. (4) has nothing to do with p n (n) 
and p n (v), thus Eve can eavesdrop on the decoy state QKD successfully if she has a set of 
photon- number- resolving detectors. 

Now it is interesting whether Eve can eavesdrop on the decoy state QKD protocol without 
photon-number-resolving detectors. However, as mentioned before, eavesdropping on the 
decoy sources should have similar relationships as those in Eq. (2), that is, 

btT^iPnW = EZ Pnm-(i-p d ) 2 (i-vn 

e f VfJ2ZlPn^) = Er=0PnW{l-(l-p d ) 2 (l-^) n -(l-%) (5) 

x [(l- V e d ) n -(l-rj + T]e d ) n }}. 

And one can find that there are not such rjf and e/ to meat the relationships in Eq. (2) 
and those in Eq. (5) at the same time. However, considering the imperfection of practical 
implementation of decoy state QKD, the relationships in Eq. (2) and Eq. (5) may be loosen. 

Experimentally, Alice and Bob's key is distributed within a finite period of time, generally 
in several hours [24J. Then the pulses generated by Alice should also be finite. We assume 
the number of pulses emitted from the sources is iV = 10 10 in the following discussion. 
If Bob's expectingly detections is p det under ideal circumstance, and his detecting events 
with finite resources is p' det , p' det should deviate from p det with a small fluctuation S Pdet . The 

7V<5 2 

probability P(\p de t — p' det \ > &p det ) can be estimated to be less than q = exp( — 4^7)- If 

<5 2 E * 

we require q = exp(— 25), -^ £l can be estimated to be 10 -8 approximately, and 5 Pdet can be 
calculated as 10~ A p det accordingly. Thus in practical implementation of fake state attack, 
Eve should ensure Bob's detecting events satisfy 

1 1 

Pdet ~ 10~ 4 pj et < P det < Pdet + 10" p 2 det . (6) 

Strictly speaking, the statistical fluctuations on different sources are usually not the same 
as the number of pulses generated from different sources may be not assigned to be the same. 
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At the same time, the probabilities of detecting events for different sources are not identical 
because of their disparate intensities. As the total number of the pulses is N, the practical 
number of pulses assigned for different sources should be less than this value, the practically 
tolerant fluctuation should be greater than that in Eq. (6). It means Alice and Bob should 
accept the validity of their results if the statistical fluctuations on the detecting events from 
every sources satisfy the relationship in Eq. (6). And similar relationship can be obtained 
for the gain of QBER on every source, that is 

i _ i 

p err - 10" 4 p e 2 rr < p' err < p err + lCT^eV (7) 

It is apparent that Bob's expecting detecting results should be Pdet{n) = 1 — (1 —Pd) 2 e~ m 
for signal source, and pdetiy) = 1 — (1 — Pd) 2e ~ r]V f° r decoy sources. And the actual de- 
tecting events for them should be p' det (n) = §77/(1 — e _M ) and p' det {y) = §?7/(l — e~ u ) 
respectively. Similarly, the expecting error rate for signal source and decoy sources are 
PerM = \ ££=oP»M{l " (1 - Pdfil - V) n " (1 " PdW ~ Ve d ) n - (1 - V + Ve d ) n }} and 

Perriv) = \ En=oPn("){l " (1 ~ Pd?{l ~ VT ~ (1 ~ Pd)[(l - ^dY — (1 — 7/ + Tje d ) n ]}. And 

the actual error rate for them can be calculated as p' err (n) = \efT)f{l — e~ M ) = efp' det (/j) and 

P'erri") = l e fVf(^ ~ e'") = e fP ' d , 



det\ 



We can estimate the feasibility of Eve's attack with the experimental parameters in 18], 
that is, pd = 8.5 x 10~ 7 , t]b = 4.5%, e d = 3.3% and loss coefficient a in the quantum 
channel is 0.21 dB/km. If the transmission distance between Alice and Bob is 120km, one 
can obtain r\ = 1.359 x 10~ 4 . When there are only two sources, that is, a signal source 



with intensity \i = 0.479 and a weaker decoy state with intensity v = 0.127 24|. As the 
statistical fluctuations on the the results of signal source satisfy the relationships in Eq. (6) 
and Eq. (7), its r/f should range from 3.467 x 10 -4 to 3.553 x 10~ 4 , and its e/ can range 
from 4.178 x 10~ 2 to 4.806 x 10~ 2 . Similarly, statistical fluctuation on the the results of 
weaker decoy source should satisfy the relationships in Eq. (6) and Eq. (7), its rjj can be 
calculated to range from 3.106 x 10~ 4 to 3.252 x 10 -4 , and its e/ ranges from 6.705 x 10~ 2 
to 8.307 x 10 -2 . As there is no overlap on the parameters of both sources, it seems that Eve 
can not eavesdrop on the decoy state QKD protocol with threshold detectors. 

Noticing that the dark count rate functions importantly in practical implementation of 
decoy state QKD protocol when the transmission distance is comparably long. Furthermore, 
though threshold detectors can not tell the photon number in the incoming pulses, they 
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can differentiate vacuum pulses from non-vacuum pulses. Then it may help Eve with her 
eavesdropping if she treats the vacuum pulses and non- vacuum pulses in different ways. She 
prepares random-bit-value pulses with probability 4p d — 2p d for Bob when she detecting 
nothing from Alice. It is easily verified that Eve's eavesdropping results on the vacuum 
pulses coincide well with what Bob expecting for. When there is nonvacuum pulses, she 
makes fresh pulses according to her results with probability 77, and introduces error on 
them with probability e d - Here Eve makes error on the nonvacuum pulses with probability 
ed because errors introduced on nonvacuum pulses are mainly introduced by misalignment 
between Alice and Bob. Then for signal source, one can obtain 

bfZ^iPnM = En=iPn^)[i-a-p d ni-vn 

x [(i-r,e d ) n -(l-ri + rie d ) n ]}. 

Similar relationship can also be obtained for decoy source. 

The probability of expecting detections p de t both for signal source and decoy source can 
still be calculated as that above. However, the actual detections p' det for them are altered 
slightly. That is, p' d M = e""[l - (1 - p d f] + ±77,(1 - e"") and p' det {v) = e~ v [\ - (1 - 
Pd) 2 } + jVf(l ~ e ~")- Similarly, the expressions for p err (fj) and p err (^) are still the same. 
And p' err (fi) and p' err {y) should be recalculated as |e _M [l — (1 — Pd) 2 } + ^ ^77,(1 ~ e ~^) an d 
\e~ v [\ — (1 — Pd) 2 } + ^^77,(1 ~~ e ~ v ) respectively. As their statistical fluctuations should still 
be bounded with the relations in Eq. (6) and Eq. (7). With simple calculation, we find 
there is no such 77, for signal source, and 77, for decoy source ranges from 2.855 x 10~ 4 to 
3.001 x 10 -4 . That is, this scheme is still inefficient in helping Eve to eavesdrop on decoy 
state QKD protocol with threshold detectors. 

Eve takes control the whole quantum channel, however, she may not set her eavesdrop 
point adjacent to Alice's lab. Her intervention site may be anywhere between Alice's and 
Bob's labs. We will show that this change will help Eve to Eavesdrop on the decoy state 
QKD protocol successfully with threshold detectors. Let the distance between Alice's lab 
and Bob's eavesdropping site be / km, it is apparent smaller I requires ability to discriminate 
photon number in the pulses, and larger / may lead to failure of her blinding attack. Then 
the optimal site should have largest I where Eve can carry out her eavesdropping successfully. 
The transmission efficiency at this point can be calculated as r?z = 10~to. And the statistical 
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distribution in the incoming pulses can be represented as 



(9) 



If Eve takes her eavesdropping scheme as that in Eq. (8), one can obtain 

hfEZiPM = £r=i^)[i-(i-^) 2 (W) n ], 

v f e d J2n=iPM = ZZiPMn-a-p d ni-vr-(i-P d ) (io) 

x [(i-r/e d ) n -(l-r/ + rfe d ) n ]}, 

with rf = r/blO w - for signal source. And similar relationships can be obtained for decoy 
source 

kvfY^M") = EZxPim - (i - p d m - vn 

v f e d J2ZiP l n(v) = J2ZiPM{i-(i-p d ) 2 a-vT-(i-p d ) (ii) 

x [{i-rf ei ) n -{l-rf + ie d ) n \}. 
As Eve's detecting efficiency is very lower, it is easy to verify that Eve can set I = 120 km. 
We can then obtain rjf ranging from 8.893 x 10 -2 to 9.120 x 10~ 2 for signal source, and it 
ranges from 8.775 x 10~ 2 to 9.229 x 10~ 2 for decoy source. Then Eve can launch fake state 
attack at I = 120 km with threshold detectors just by preparing what she have measured 
with probability rjf ranging from 8.893 x 10~ 2 to 9.120 x 10~ 2 , and she introduces error on 
them with probability e d . 

Then when statistical fluctuation is considered, Eve can eavesdropping on decoy state 
QKD even with threshold detectors. She may fail to eavesdrop successfully when her inter- 
vention site is closer to Alice's lab, and numerical simulation shows it may be easier for her 
to attack on this protocol when her intervention site is farer away from Alice's lab. This 
is because the nearer to Bob's lab, the greater probability of single-photon pulses for non- 
vacuum pulses can be obtained. Then Eve can omit the effect of multi-photon pulses treat 
all pulses as single photons. In practical decoy state QKD protocol, Alice may introduce 



vacuum decoy state to estimate the dark counts on Bob's detectors. [24|. As Eve prepares 
random-bit-value pulses with probability 4p d — 2p 2 d when she detects nothing, however, the 
statistical fluctuations on the vacuum decoy state can be verified to be met automatically. 
In order to understand Eve's eavesdropping better, we give a simulation numerically on the 
relation between Eve's rjf and her intervention site I, as is plotted as that in Fig. 1. It shows 
that there is not suitable r)f and for signal source when I < 10 km. Furthermore, Eve can 



not launch her fake state attack on this protocol when her intervention site I is less than 30 
km as there is no overlap on rjf for both sources. When I is greater than 45 km, one can 
find the suitable rjf for signal source also suits for decoy source. 




Eve' intervetion site (km) 



FIG. 1: Relationship between Eve's probability for her to prepare fresh pulses according to her 
results, r/f and her intervention site, I. It suitable value should be chosen from the area greater 
than the lower bounds and less than the upper bounds of rjf for both sources. 

It has been proven that some commercial QKD systems may be totally insecure under 



fake state attack 14j-|l7||. thus we hope that decoy states is efficiency in combatting against 
this brutal attack. As we have shown above, however, decoy states can not also provide them 
with enough security. We have shown that Eve can launch her fake state attack successfully. 
Especially, we have proven that she can eavesdrop on the decoy state QKD without any 
photon-number-resolving instrument when statistical fluctuation is considered on Bob's re- 
sults. With the presence of new technology, especially with improvement on Bob detecting 
efficiency, Alice and Bob may overcome this loophole. However, other loopholes still un- 
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known to people may also threaten the security of practical QKD. And it has been claimed 
QKD is superior to classical cryptography as quantum principle provide it with physically 
secure. In order to avoid the mouse and cat game between legal users and eavesdropper in 

-bai- 
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QKD, new protocols should be presented to combat all these loopholes in principle 
This work is sponsored by the National Natural Science Foundation of China (Grant No 
10905028) and HASTIT. 
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